Contrary to media reports that said Reserve Bank has directed banks to adopt Aadhaar, the RBI has advised banks to chose either EMV chip and PIN or Aadhaar’s biometric validation as additional factor for authentication and securing the card present payment infrastructure

The Reserve Bank of India (RBI) has said that banks are free to adopt either Euro pay MasterCard Visa (EMV) chip and Pin technology or Aadhaar acceptance as additional factor of authentication for securing the card present payment infrastructure. However, several mainstream media reported that RBI has asked banks to adopt Aadhaar authentication only.

In a notification, the central bank said, "In respect of cards, not specifically mandated by the Reserve Bank to adopt EMV norms, banks may take a decision whether they should adopt Aadhaar as additional factor of authentication or move to EMV Chip and Pin technology for securing the card present payment infrastructure."

However, the RBI has advised banks to keep their new card present infrastructure enabled to use both EMV chip and PIN and Aadhaar (biometric validation) acceptance. It may be noted that EMV cards are 'smart' cards that have an embedded chip while PIN authentication involves the card-holder to punch in a secret code on the card-swiping machine, for each transaction.

Interestingly, about 90% of the existing point of sales (POS) terminals in the country, managed by 21 acquirers (among them Axis Bank, HDFC Bank and ICICI Bank), can accept EMV chip cards and PIN.

According to a report by a "Working Group on Securing Card Present Transactions" of the RBI, there is a need to put in place a series of measures to strengthen the payments infrastructure and ecosystem in the country. Inferences drawn from case studies clearly indicate the need to have a much stronger authentication mechanism and reiterate the need for a second factor (2FA) for card present transactions.

"In the absence of 2FA for POS transactions there is a possibility of the fraud losses increasing by more than 200% in a single year, in the event of a sharp increase in fraud incidents in the country. There is also a possibility of POS FTS (fraud-to-sales ratio) increasing by around 200 basis points in one year under adverse conditions," the report said.

The report discusses new systems like EMV chip cards with PIN that has been adopted by many countries and enhancing the current magnetic strip devices (MSDs) card system with help from biometric identification.

"Aadhaar (issued by the Unique Identification Authority of India - UIDAI) authentication using biometrics, provides a strong 'Who you are' factor of authentication. This can be combined with a second 'What you have' or 'What you know' factor to achieve strong customer identification at the point of sale."

While the option to use biometrics from the UIDAI database looks good, in practice, due to insufficient feasibility tests, it may not be a viable option. "The working committee considered biometric, or UID, as the second factor in one of the solution sets; however, the decision to adopt this would depend on various factors like the number of UIDs issued to the population which transacts through cards, the error rates, authentication network capability to handle transaction volumes, network capability to handle enhanced transaction size and acquiring infrastructure," the report said.

Moreover, biometric (fingerprint) identification is not foolproof. Especially, in some merchant categories like fuel stations and restaurants, there are execution challenges in adopting PIN or biometric as an additional factor of authentication. In addition, it is well known that finger prints and irises can be faked, and one way to fix that problem could be to use finger-print readers that detect live finger prints, and iris readers that detect live irises.

According to JT D'Souza, who analysed the pilot study conducted by the UIDAI, given the well-known lacunae in our infrastructure and massive demographics, biometrics as an ID will be a guaranteed failure and result in denial of service. He said, "The sum of false acceptance rate and false rejection rate (EER) reveals only part of the problem, which is rejection or acceptance within a short duration of enrolment. The bigger problem is ageing, including health and environment factors, which causes sufficient change to make biometrics completely unusable and requires very frequent re-enrolment."

According to a report in the Economic Times, the UIDAI is pushing for biometric authentication for credit card and ATM transactions, but bankers are reluctant to make changes since technology costs are high. Bankers argue that upgrading every ATM and PoS terminal at thousands of merchant outlets will not come cheap, besides travails and risks of a new technology, says the report.

But aren’t we forgetting something here? ATM with biometrics is not a new idea. It has been tried and discarded as a failure when the ATMs did not authenticate the biometrics of many underprivileged persons (during the pilot launch) and left them without access to their own funds, especially when banks were closed.

The drumbeat for biometric ATMs began in 2005. On 1 December 2006, Citibank had issued a global release about the launch of its biometric ATM with multi-language voice instruction capability. It had tied up with a NGO called Swadhar FinAccess and a microfinance firm for Citibank Pragati for (no frills) accounts. The experiment ended in a whimper.

In 2007, Andhra Bank had launched biometric ATMs and wanted to make the mobile, to cater to the burgeoning microfinance business. Canara Bank set up its first biometric-based ATM at Dharavi, in Mumbai in 2008 with much fanfare.

The ground reality turned out to be completely different. According to information provided by several non-government organisations (NGOs) spreading financial literacy in that area, the biometric ATMs in Dharavi failed from day one. The reason? Working class there, especially housemaids and other labours do not have fingerprints without which they could not operate the ATM!

Not having fingerprints is just one of the issues with the biometric-based ATMs. The more serious issue is the danger it may pose to the user as thieves may stalk and assault the person to gain access. If the item is secured with a biometric device, the damage to the owner could be irreversible, and potentially cost more than the secured property. For example, in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal his car.

In addition, the biometric-based passwords are irreversible. That means it cannot be re-issued in case of loss or theft. If a token or a password is lost or stolen, it can be cancelled and replaced by a newer version. This is not naturally available in biometrics. If someone's face or fingerprint is compromised from a database, it cannot be cancelled or reissued.

Another problem associated with the biometric-based ATM is its cost, both installation and operations. The biometric-based ATMs, as proposed by the Reserve Bank of India (RBI) that would facilitate use to Aadhaar data, are more costly than the regular card-based ATMs. While consumers are increasingly complaining about reasonableness of bank charges, the banks themselves are lobbying hard with the RBI, claiming that high cost of technology is making each transaction very expensive.

Therefore, while on paper the use of biometrics as 2FA may sound feasible, its uses would be limited at specific locations. In this situation, EMV chip cards and PIN look like the future proof system, despite the higher costs, for card-based transactions. Nevertheless, this may not be the last in payment transaction systems.

EMV Implementation

In many countries of the world, debit card and/or credit card payment networks have implemented liability shifts. Normally, the card issuer is liable for fraudulent transactions. However, after a liability shift is implemented, if the ATM or merchant's point of sale (PoS) terminal does not support EMV, then the ATM owner or merchant will be liable for the fraudulent transaction.

According to Wikipedia, MasterCard's liability shift between countries within Asia-Pacific region took place on 1 January 2006, whereas Visa's liability shift for PoS took place on 1 October 2010. For ATMs, Visa's liability shift date is 1 October 2015, except in China, India, Japan, and Thailand, where the liability shift will be 1 October 2017.

User

Alert me when a new comment is posted

COMMENTS

Yerram Raju Behara

3 years ago

On November 28, 2012 I have commented in my blog with specific reference to Direct Benefit transfers as 'game changers' as follows:"Adding to this the Banks are intermediaries in the whole effort. Several banks have everyday new issues with Banking Correspondents and there are leakages that they are grappling with to resolve. Not all financial inclusion accounts even in the designated villages were opened with Aadhar ID as base of KYC. Now they will ask each account holder to give fresh KYC form with Aadhar card fascimile. Aadhar will have discrepancies with those that are already having accounts. The Banks confirmed that they have followed the KYC and the auditors/Inspectors have confirmed.Some are already receiving their MNREGA wages or pensions through this KYC. Now which would they count for accepting credits? Unless the Aadhar card ID is fully integrated with the Bank accounts and the persons holding accounts under Financial Inclusion eligible to receive the 29 categories of subsidies confirm, the whole process would be in a limbo and these cannot certainly be resolved in these inaugural villages of fifty one. God save the poor - any way he is still saving them!

Game changer:

Yes; it is a game changer for the politician eager to grab votes from the poor in some fashion or the other. The game changes but the poor would for sure remain poor for the politician will have the untainted access to the purse of the poor in a straight cash deal."
The Banks are on a high frequency change. Technology introduction for new initiatives is costly and as happened thus far the customer will be loaded with such costs in a number of ways. The fundamental question is: will the customer gain in the faster? If he does gain, which class he belongs to. Every experiment in this country is at the cost of the poor. It is not MPs'/MLAs' remunerations of sorts that are linked to AADHAR for it is no surprise some of them don't even have the Aadhar! The contractors do not get their payments linked to Aadhar! But the wages of the poor, the pensions and all other benefits to the poor are through this instrument tested myopically are linked. Now the EMVs.
Banks are given the choice; fine. Most banks are system driven and customer centric initiatives with larger numbers to access are perhaps still waiting in the corridors!!

MG Warrier

3 years ago

Economic Times report on the subject today carried the headline “Aadhaar Link Mandatory for Card deals Now” (November 27). I have responded asunder:
On the basis of the recommendations of a Working Group which had examined the issues including those relating to security features in card payment system, RBI has advised banks that:
• In respect of cards, not specifically mandated by the Reserve Bank to adopt EMV norms, banks may take a decision whether they should adopt Aadhaar as additional factor of authentication or move to EMV Chip and Pin technology for securing the card present payment infrastructure.
• All new card present infrastructure has to be enabled for both EMV chip and PIN and Aadhaar (biometric validation) acceptance.
As banks have been given the option to decide whether they should adopt Aadhaar as additional factor of authentication, ET headline for the report is misleading.
Further, as AADHAAR is slipping from one confusion to the next one fast since the idea was conceived, latest one being the controversy about biometric security featires of Aadhaar being examined by the Apex Court, will it not be prudent to wait till Aadhaar itself stabilises before going ahead with making it mandatory for various purposes?
M G WARRIER, Mumbai

A sensible article unlike the utopian "thin air" thinking of UIDAI and RBI.

Hemant K Chitale

Tata sons informed RBI and indicted that, its current model best supports the needs of the group’s domestic and overseas strategy

Tata Sons, the holding company of the India’s largest, $100 billion conglomerate Tata Group, has withdrawn its application of new banking licence.

In a release, Reserve Bank of India (RBI) said Tata Sons has withdrawn its application made on 1 July 2013 for new bank licence and the central bank has accepted withdrawal of the application.

“The company has indicated that its current financial services operating model best supports the needs of the Tata group’s domestic and overseas strategy, and provides adequate operating flexibility to its companies, while securing the interests of the group’s diverse stakeholder base,” the release stated.

Tata Sons in a statement said, "Tata Sons remains committed to financial inclusion and believes that the group’s existing financial services footprint uniquely positions it to provide technology excellence and access to India’s hinterland. The company shall continue to monitor developments in this space with great interest and looks forward to participating in the banking sector at an appropriate time".

Earlier last week, speaking at BANCON 2013 in Mumbai, finance minister P Chidambaram had said, “In January 2014 new banking licenses will be issued and I wish it would be given to banks with innovative or different models of banking. We need different kinds of banks to cater to different segments in our country. And I would regret if 'clone' banks are given new licences”.

In February, the RBI released guidelines to allow corporate houses to form banks, part of an effort to expand access to financial services in a country where only about half the population has a bank account. With this effect total 26 corporate firms applied for banking licence including big conglomerates like Aditya Birla Nuvo, Bajaj Finance, L&T Finance, and Reliance Capital.

After Tata’s withdrawal Bank licence application count comes to 25. The winners of banking licence are expected to be announced by the first quarter of 2014.

User

Alert me when a new comment is posted

COMMENTS

Suiketu Shah

3 years ago

I wonder when new banking licenses wl be issued?Jan 2014 before elections?In which case we are not far off end Jan 2014 from now.

Maruti Suzuki to recall 1,492 vehicles sold after 19 October 2013 to replace defective steering column of its Ertiga, Swift, Swift Dzire and A-Star variants

Maruti Suzuki India Ltd (Maruti Suzuki), the country's largest carmaker said it would recall 1,492 units to inspect the steering column and replace it, if found affected. The carmaker would recall 306 units of Ertiga, 592 of Swift, 581 of Swift Dzire and13of A-Star manufactured during 19 October 2013 to 26 October 2013.

“If the steering column is found defective, the company will replace the steering column free of cost. This exercise is limited to vehicles within the above specified range and does not pertain to any other vehicle of the Company or any of its exports,” Maruti Suzuki said in a notice on its website.

Maruti Suzuki dealers will contact owners of all vehicles which need to get inspected. Company already dispatched the new steering column to the dealer workshops.

Users of Maruti Suzuki cars (Ertiga, Swift, Dzire and A-Star) purchased after 19 October 2013 can check the website http://marutisuzuki.com/ and fill the chassis number on the website or can contact nearest Maruti Suzuki dealer workshop to ascertain if their car is among the above vehicles.

During the September, the carmaker reported a 19.6% growth in vehicle its sale and sold 2.75 lakh units, including exports, during the second quarter.